Tokenization and subscriptions

Saving card details is an easy and fast way to improve sales conversion in online and mobile services that accept payments. A returning customer's payment can be done in the simplest way with just a few clicks. Paying with a saved card is as safe as regular card payments.

In this article you will find information about paying with a stored card and frequently asked questions and answers.

What do CIT and MIT payments mean and what is the difference between them?

According to the Payment Services Directive (PSD2), payments made with a stored card are separated into payments initiated by the consumer (Cardholder Initiated Transactions or CIT) and payments initiated by the merchant (Merchant Initiated Transactions or MIT).

Technically, every payment request must tell the API which of these two types it is.

CIT payments

A CIT payment must be used whenever the consumer actively initiates a payment, such as in an online store. A CIT payment must also be used in situations where the user actively initiates the transaction, even if the actual charging takes place later (e.g. taxi ride, paid parking or getting gas).

  • As a general rule, a CIT payment must always be confirmed using the bank's confirmation method (e.g. the bank's identification app).
  • In a CIT payment, the card issuer bears the risk of possible misuse of the card.

MIT payments

An MIT payment is used in situations where the charge takes place without the customer's interaction. These are typically time-based recurring charges, such as monthly charges for an entertainment service. However, recurring billing does not have to be of the same amount (e.g. phone bill), nor does it have to be time-based. The charge can also take place on a transaction basis, for example when driving out of a parking garage.

  • An MIT payment is not subject to the PSD2 regulation's requirement for individual payment confirmation and can be charged without user interaction.
  • Since an MIT payment takes place without confirming the payment, the payment risk remains with the merchant.
  • If you use the subscription/recurring billing model (recurring charges), please make sure to take these special requirements into account.

Saving card details and PSD2

The new Payment Services Directive (PSD2), which entered into force in September 2019, also regulates paying with stored card details.

PSD2 requires that when storing card details, the cardholder must always be verified using strong identification. Strong identification takes place with the identification method provided by the card issuer (bank). In Finland, the strong identification of a card payment is usually done using the corresponding bank's identification app.

When the user starts paying with their saved card, the card payment must, as a rule, be confirmed using the card issuer's confirmation method. It is possible to request a transaction-specific exception for skipping payment confirmation in certain low-risk payment transactions, such as payments under 30 euros. Whether an exception is granted always depends on the payment card issuer's ability to handle exception requests and on its business decisions.

When the merchant initiates a card payment independently (e.g. when charging monthly subscriptions), no separate payment confirmation is required.
The new Payment Services Directive's regulations regarding online card payments entered into force on December 31, 2020.

Saving cards: FAQ

Can any card be saved for payment and recurring charges?

Any card from Paytrail's payment method selection can be saved (Visa, Mastercard, Amex).  

Do I have to store card details somewhere and does that create a data security risk?

Card details are always stored in the new Paytrail payment service. The online service receives a unique identifier (card token) for the stored card.

The new Paytrail payment service is a PCI DSS data security certified card system that meets the requirements of banks and card companies for storing card details. Paytrail is responsible for the reliable storage of card details, and the merchant does not incur any data security risk from using this feature.

Can any service and product be charged repeatedly?

Card companies have their own regulations on how stored cards can be used for recurring payments. As a starting point, the cardholder must be asked to consent to recurring payments and be given sufficient information on how the recurring payments will be handled, as well as instructions for canceling them.
